On Tue, Nov 30, 2004 at 07:15:44AM -0800, Eric Rescorla wrote:
> SSL has all three of these modes, actually, so perhaps the question
> you want to ask is why no one uses #3. The main argument against it is
> that it's about half as fast (on the server) in the best case because
> you need to do both a signature and a key exchange operation.
> On the client it's *much* slower because RSA public-key encryption
> is very fast (private-key decryption is much slower).
>
The third mode is quite common for STARTTLS with SMTP if I am not mistaken. A one-day sample of inbound TLS email has the following cipher frequencies:

    8221 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    6529 (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits))
     186 (using SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits))
     117 (using TLSv1 with cipher RC4-SHA (128/128 bits))
      59 (using SSLv3 with cipher RC4-SHA (128/128 bits))
      40 (using SSLv3 with cipher DES-CBC3-SHA (168/168 bits))
      28 (using TLSv1 with cipher RC4-MD5 (128/128 bits))
      16 (using SSLv3 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits))
      14 (using TLSv1 with cipher DES-CBC3-SHA (168/168 bits))
       1 (using SSLv3 with cipher RC4-MD5 (128/128 bits))
       1 (using SSLv2 with cipher DES-CBC3-MD5 (168/168 bits))

It is my perhaps misguided impression that both the EDH and the DHE cipher-suites provide PFS. Is there in fact a difference between EDH and DHE?

-- 
Victor Duchovni
IT Security, Morgan Stanley

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
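The tally above is the "(using <protocol> with cipher <suite> (<bits>/<bits> bits))" fragment that Postfix records in Received: headers. As an added example, not part of Victor's post and not Postfix's own code, the Python below parses that fragment from header lines, rebuilds the same count-per-suite listing, and reports how many sessions used an ephemeral Diffie-Hellman key exchange. It treats the EDH- and DHE- prefixes identically because in OpenSSL's suite naming both denote ephemeral DH (EDH on the older DES/3DES suites, DHE on the AES suites); it also recognizes the ECDHE-/EECDH- prefixes, which goes beyond the suites in the thread. The sample headers, host names and addresses are constructed for the example; whether anonymous-DH suites should count as forward-secret is an assumption made here (they are not counted, since they are unauthenticated).

```python
"""Tally TLS suites from Postfix-style Received: headers and measure how many
inbound sessions had an ephemeral (forward-secret) key exchange.

Added example. The header lines below are constructed, not from a real log."""
import re
from collections import Counter

# Postfix writes "(using <proto> with cipher <suite> (<bits>/<algbits> bits))"
# into Received: headers; the listing in the thread uses the same fragment.
TLS_RE = re.compile(
    r"using (?P<proto>SSLv2|SSLv3|TLSv1(?:\.\d)?) with cipher "
    r"(?P<suite>[A-Z0-9-]+) \((?P<bits>\d+)/(?P<algbits>\d+) bits\)"
)

# OpenSSL suite-name prefixes for an authenticated ephemeral (EC)DH exchange.
# EDH and DHE are two spellings of the same mechanism: the older DES/3DES
# names carry EDH, the AES names carry DHE. Assumption of this example: every
# other suite (RSA key transport, anonymous DH) is counted as non-PFS.
PFS_PREFIXES = ("DHE-", "EDH-", "ECDHE-", "EECDH-")

# Constructed sample: five TLS sessions and one cleartext delivery.
SAMPLE_RECEIVED = [
    "Received: from a.example.org (a.example.org [192.0.2.10]) "
    "(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) by mx.example.net",
    "Received: from b.example.org (b.example.org [192.0.2.11]) "
    "(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) by mx.example.net",
    "Received: from c.example.org (c.example.org [192.0.2.12]) "
    "(using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)) by mx.example.net",
    "Received: from d.example.org (d.example.org [192.0.2.13]) "
    "(using SSLv3 with cipher RC4-SHA (128/128 bits)) by mx.example.net",
    "Received: from e.example.org (e.example.org [192.0.2.14]) "
    "(using TLSv1 with cipher DES-CBC3-SHA (168/168 bits)) by mx.example.net",
    "Received: from f.example.org (f.example.org [192.0.2.15]) "
    "by mx.example.net with SMTP",  # no STARTTLS: no fragment to parse
]


def parse_tls(line):
    """Return {'proto','suite','bits','algbits'} for a header line, or None
    when the line carries no TLS fragment (cleartext delivery)."""
    m = TLS_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["bits"] = int(d["bits"])
    d["algbits"] = int(d["algbits"])
    return d


def has_forward_secrecy(suite):
    """True when the suite name denotes an authenticated ephemeral DH exchange."""
    return suite.startswith(PFS_PREFIXES)


def tally(lines):
    """Count (proto, suite, bits, algbits) tuples over lines with a TLS fragment."""
    counts = Counter()
    for line in lines:
        d = parse_tls(line)
        if d:
            counts[(d["proto"], d["suite"], d["bits"], d["algbits"])] += 1
    return counts


def format_tally(counts):
    """Render the counts in the same listing style as the thread, most common first."""
    rows = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [
        f"{n} (using {proto} with cipher {suite} ({bits}/{algbits} bits))"
        for (proto, suite, bits, algbits), n in rows
    ]


def pfs_summary(counts):
    """Return (sessions with forward secrecy, total TLS sessions)."""
    total = sum(counts.values())
    pfs = sum(n for (_, suite, _, _), n in counts.items() if has_forward_secrecy(suite))
    return pfs, total


if __name__ == "__main__":
    c = tally(SAMPLE_RECEIVED)
    print("\n".join(format_tally(c)))
    pfs, total = pfs_summary(c)
    print(f"{pfs}/{total} TLS sessions used an ephemeral DH key exchange")
```

Run against a mailbox or a day of headers, the two numbers from pfs_summary give the share of inbound mail whose session keys cannot be recovered later from the server's RSA key, which is the property the thread is asking about; the suites that fall outside PFS_PREFIXES are the ones worth reviewing in the server's cipher preference list.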